Password Security - Top 100 Cryptocurrency Exchanges

The Most Competent Cryptocurrency Exchange in Password Security [2020]

Password security at the top 100 cryptocurrency exchanges is always going to be an evolving arena, as more and more exchanges enter the big game of supporting end users' cryptocurrency transactions.

In the past few years we have seen a huge uptick in data breaches and security incidents involving cryptocurrency exchanges. Exchanges ranging from smaller ones like Upbit to giants like Binance have faced security incidents.

This makes us wonder about the current state of security in cryptocurrency exchanges. With that question in mind, I analysed the password security of the top 100 cryptocurrency exchanges in September 2020.

Adding to that, the third Bitcoin halving was also completed successfully, making this year an ideal one to focus more of our attention on cryptocurrencies.

The password security of the top 100 cryptocurrency exchanges [2020] was analysed in detail, and the findings and observations are presented here for the benefit of all.

Password Security Of Top 100 Cryptocurrency Exchanges

The digital currencies of the future largely change hands on exchanges. With the high volume of such transactions, which is also expected to grow exponentially, it is high time that we, as end users, become cognizant of the security compliance of these exchanges.

As users of these exchanges, how much do we know about their security compliance? The steps and defenses these exchanges deploy to meet regulatory and fund-safety requirements will never be entirely known outside those organisations, for obvious security and confidentiality reasons.

How safe are our cryptocurrency exchanges on Password Security?

[Figure: Credential attempts. Source: Verizon DataBreach 2020]

The few highlighted security breaches showcase the fact that there has been a huge uptick in data breaches at cryptocurrency exchanges. We also have to keep in mind that, given the explosive nature of cryptocurrency valuations, exchanges are a huge target for all kinds of nefarious actors and motives.


That being said, let us look at and analyse one aspect of exchange security compliance for the benefit of all cryptocurrency users.

As part of this seed idea, I took the top 100 exchanges from Coinmarketcap, sorted by volume.

This sorted list of the top 100 exchanges was analysed against seven basic parameters related to password security.

The objective here is not to find fault or to provide a ranking for crypto users to select an exchange. This was done mainly as a personal exercise to understand the current state of password security, considering the huge increase in data breaches.

Cryptocurrency is a very dynamic field with very active participation from these exchanges. Having said that, all these exchanges strive to uphold their security to safeguard customer funds (SAFU) and to provide a safe environment for the public to transact.

This report provides a glass-door view from the perspective of password security only.

[Scorecard counters: number of exchanges scoring above 80%; number of exchanges scoring below 50%]

How was this analysis conducted?

[Figure: How we tested the 100 cryptocurrency exchanges]

Analysis Parameters

The requirement was very clear: I needed to check only the password security.

As I was checking nothing other than the publicly available website interfaces, using non-intrusive methods, I finalized the testing parameters accordingly.

All the parameters were manually checked individually and assigned values based on observations. There were a few that I was not able to check, and these are clearly highlighted in the detailed table shown below. Reasons for not being able to check include geo-fencing blocks and site technical issues.

Most of the testing was done directly on the "Sign up" or "Register" page, as part of creating a user account at each exchange.

Since I was only looking at the password security of these exchanges, the parameters used are shown below. The password security score of each of the top 100 crypto exchanges was arrived at using this calculation model only.

Pretty simple and basic requirements for password security were analysed; each exchange's compliance was mapped individually against them and scored accordingly.

Positive scoring is allocated if the exchange meets the individual requirement explained below. For every parameter met, the exchange was awarded 1 point, so the maximum overall score is 7. Since I wanted to present the results in easy-to-understand terms, I converted the score to a percentage. The calculation formula is also given below for your reference.
 

Let us get into a little more detail to understand the logic and get clarity on the assessment methodology used.


Parameter 1: Avoids Exposed Passwords

Overall compliance with the ability to avoid exposed or breached passwords is the first parameter of this study. The primary objective is to check whether the exchange's password handling complies with one of the requirements of the guideline published by NIST.

Only 12% of the cryptocurrency exchanges had a passing score on this criterion. The detailed NIST 800-63 requirements have already been elaborated separately for an easy read.

This also makes parameter 1 the least complied-with of all 7 parameters analysed.
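The check behind parameter 1 can be implemented without ever sending the user's password to a third party. The following is an added example, not code from the original article or from any exchange: it simulates both sides of a k-anonymity range lookup in the style of the Pwned Passwords API (the client sends only the first five hex characters of the password's SHA-1 hash; the server returns every hash suffix in that bucket with its occurrence count, and the client matches locally). The corpus, the server index and all function names are constructed for this example; a real verifier would query the public range API or an offline copy of its hash list.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a breached-password corpus (not real breach data).
BREACHED_CORPUS = ["123456", "password", "qwerty", "letmein", "00000000"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range protocol is defined on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: List[str]) -> Dict[str, Dict[str, int]]:
    """Server side: index hashes by their first five hex characters (prefix -> {suffix: count})."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_response(index: Dict[str, Dict[str, int]], prefix: str) -> str:
    """Server side: answer a prefix query with every 'SUFFIX:COUNT' line in that bucket.
    The server never learns which suffix (i.e. which password) the client is checking."""
    bucket = index.get(prefix.upper(), {})
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Client side: transmit only the 5-character prefix, then match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def make_lookup(index: Dict[str, Dict[str, int]], sent_prefixes: List[str]) -> Callable[[str], str]:
    """Wrap the simulated server and record exactly what the client transmits."""
    def lookup(prefix: str) -> str:
        sent_prefixes.append(prefix)
        return range_response(index, prefix)
    return lookup


if __name__ == "__main__":
    sent: List[str] = []
    lookup = make_lookup(build_range_index(BREACHED_CORPUS), sent)
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, lookup)
        print(f"{pw!r}: {'reject, seen %d times' % n if n else 'ok'}")
    print("transmitted:", sent)  # only 5-hex-char prefixes ever leave the client
```

The design point is the split: the server holds the full hash list, the client reveals only a prefix shared by many unrelated passwords, and the suffix comparison happens on the client. A sign-up form that applies this check can satisfy the NIST requirement without weakening the secrecy of the password being chosen.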

Parameter 2: Password Complexity

Password complexity is the most used and abused parameter of the password security requirements at most of the exchanges analysed.

The rules ranged from strange and weird to requirements expressed in bits, which seemed too strange to me.

For example, one exchange rejected a simple password stating that it is a dictionary word, whereas another rejected the same password stating that it is shorter than the required number of characters. Inconsistency in password complexity requirements was observed across the board.

A mix of numbers, alphabets and special characters was the predominant requirement at most of the exchanges I analysed. One exchange rejected a password because it had three consecutive zeros (XXXXXX000XXXXXXXXX). I am not even sure why that is a requirement in the password rules.

Even more interesting was the enforcement of an "8-20 bits" rule. For the folks who understand bits and bytes, this will be pretty odd: 8 bits make one byte, and one byte is the storage space used for one ASCII character. So instead of asking for 8-20 characters (bytes), it was written as 8-20 bits. You know who you are, and it is better to correct the technicalities, particularly while you are running a sophisticated crypto exchange handling cryptocurrencies and fiat.

Around 69% of the exchanges complied with this requirement. Though password complexity is no longer a requirement in authentication standards and frameworks, it still holds its position as a historical artifact from the earlier password rules of online computing.

Parameter 3: Minimum Length Enforced

Can you believe that the minimum number of characters in a password was observed to be one at 2 exchanges? Unbelievable!

Roughly 18% of the exchanges had their minimum password length set to only 6 characters. A six-character password in 2020 can be broken within minutes if an unsafe password hashing algorithm is used at the back end.

I wonder whether those exchanges have any good reason not to use 8 as the minimum password length. As per NIST 800-63, human-chosen passwords should be at least 8 characters in length, and these exchanges are clearly complying neither with best practices nor with NIST 800-63. 72% of the exchanges complied with this minimum password length requirement.

Though NIST 800-63 recommends 8 characters, it is generally advised nowadays to have 12-16 characters for a password to be considered secure.

It was observed that only four exchanges had a minimum password length greater than 8.

This reminds me of a funny password character requirement tweet. 😂

Parameter 4: No Maximum Length Enforced

On average, only 43% of the exchanges allowed passwords of any length, without restrictions on size. Most of the length restrictions were predominantly between 6 and 20 characters.
 
Alternatively, an 8-20 character range was observed at the majority of the exchanges analysed.
 
As per best practice for password storage, any input, irrespective of its length, is hashed to an output of a fixed size. For example, both the passwords "P@$w0rd" and "This-is-one-long-password-used-for-testing-the-size-of-the-storage" consume the same amount of storage, determined only by the password hashing algorithm used.
 

That makes us wonder why a maximum length is enforced at all. Earlier, when passwords were stored as plain text (oh yes, it has happened and it is still happening), size limitations were a constraint. However, with today's cheap storage and cloud infrastructure, this should no longer be a constraint.
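The storage argument above is easy to verify. The following is an added example, not code from the original article or from any exchange: it hashes the two passwords quoted in the text with scrypt (available in Python's standard hashlib) and shows that the stored record is the same size for both, then verifies a login attempt in constant time. The salt length, scrypt parameters and the MAX_PASSWORD_CHARS cap are assumptions chosen for this example; the cap exists only to bound the CPU cost of a single hashing attempt, not because of storage, and is deliberately far above the 64 characters NIST SP 800-63B asks verifiers to permit at minimum.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16
# Work factors assumed for this example; tune to the verifier's hardware budget.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
# Upper bound on accepted length (assumed value). Not a storage limit: the hash is
# fixed size regardless. It only caps how much CPU one login or sign-up attempt can burn.
MAX_PASSWORD_CHARS = 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt digest. The record is always SALT_BYTES + dklen bytes long."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password exceeds maximum accepted length")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare without leaking timing information."""
    if len(password) > MAX_PASSWORD_CHARS:
        return False
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def stored_size(password: str) -> int:
    """Bytes the verifier keeps for this password, independent of the password's length."""
    return len(hash_password(password))


if __name__ == "__main__":
    short = "P@$w0rd"
    long = "This-is-one-long-password-used-for-testing-the-size-of-the-storage"
    for pw in (short, long):
        print(f"{len(pw):3d} input chars -> {stored_size(pw)} stored bytes")
    record = hash_password(long)
    print("correct password verifies:", verify_password(long, record))
    print("wrong password verifies:  ", verify_password(short, record))
```

One caveat a practitioner should keep in mind when removing a maximum: some legacy algorithms silently truncate (bcrypt uses only the first 72 bytes), so the hashing algorithm should be chosen together with the length policy rather than assuming every extra character adds strength.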

Parameter 5: Visual Strength Indicator

Many of us would have seen the visual password strength indicator while signing up for new online accounts.

Well, that is one simple and useful guideline recommended by NIST 800-63.

As part of my analysis, I looked at whether a visual password strength indicator showing the strength of the entered password was displayed.

This serves two purposes. One, it helps the end user to know their password security posture; secondly, it also aligns with the NIST 800-63 requirement.

Only 30% of the websites had a visual password strength indicator. The remaining 70% did not have any kind of feedback mechanism to inform the end user of their password's strength.

Parameter 6: Special Characters Restricted

As per OWASP's list of password special characters, the characters shown below are valid characters and need to be allowed as part of a password.

Space ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ (the OWASP special-character list; one or more of these were not allowed as part of a password at a few of the cryptocurrency exchanges).

If you look at the history, disallowing these characters was an early step to restrict SQL injection in traditional web applications.

However, with the security technologies now available, including web application firewalls and API/middleware layers (which avoid direct database contact), these restrictions are no longer needed.

Unless the exchange lacks a proper web application firewall (highly unlikely in 2020), these characters need not be restricted. Another point is that we no longer have direct access to the databases, and SQL injection through such channels is expected to be eliminated by the middleware as part of the web application security architecture itself.

All this being said, 7% of the cryptocurrency exchanges still block one or more of these special characters.
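Parameters 2, 3, 4 and 6 together describe a sign-up password policy, so the following added example (not code from the original article or from any exchange) puts the two styles side by side: legacy_policy reproduces the kind of rules the survey found (6-20 characters, forced digit/letter mix, banned special characters, the "no three zeros" rule), and nist_policy implements the NIST SP 800-63B approach (a minimum length, a generous maximum, every printable character including space accepted, no composition rules, and a blocklist check instead). The BREACHED set and MAX_ACCEPTED value are constructed assumptions for this example. Note that accepting every special character is safe because the real defence against injection is parameterised queries and output encoding, not banning characters at the form; a password is hashed, never interpolated into a query.

```python
import unicodedata
from typing import List, Set

# OWASP's special-character list as quoted in the article, including the space.
OWASP_SPECIALS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

# Constructed stand-in for a breach corpus; a real check uses a k-anonymity lookup
# or an offline list rather than a hard-coded set.
BREACHED: Set[str] = {"123456", "password", "00000000", "qwerty"}

# Assumed upper bound. 800-63B requires permitting at least 64 characters; the cap here
# only bounds hashing cost, so it is set well above what any human will type.
MAX_ACCEPTED = 256


def legacy_policy(password: str) -> List[str]:
    """Composite of rules observed in the survey. Returns the reasons for rejection."""
    problems: List[str] = []
    if not 6 <= len(password) <= 20:
        problems.append("length must be 6-20 characters")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a number")
    if not any(c.isalpha() for c in password):
        problems.append("must contain a letter")
    if any(c in OWASP_SPECIALS for c in password):
        problems.append("special characters not allowed")
    if "000" in password:
        problems.append("three consecutive zeros not allowed")
    return problems


def nist_policy(password: str, breached: Set[str] = BREACHED) -> List[str]:
    """Length plus blocklist, no composition rules (NIST SP 800-63B section 5.1.1.2)."""
    problems: List[str] = []
    # Normalise so visually identical Unicode input is treated consistently before
    # any comparison or hashing (800-63B recommends NFKC or NFC for this).
    pw = unicodedata.normalize("NFKC", password)
    # Length is counted in characters, not bits or bytes.
    if len(pw) < 8:
        problems.append("at least 8 characters required")
    if len(pw) > MAX_ACCEPTED:
        problems.append(f"at most {MAX_ACCEPTED} characters accepted")
    # Space and every printable symbol are fine; only control characters are refused.
    if any(not c.isprintable() for c in pw):
        problems.append("control characters not allowed")
    if pw in breached:
        problems.append("password appears in a breach corpus")
    # Blocklist-style check for repetitive input (one character repeated).
    if len(set(pw)) == 1:
        problems.append("repetitive characters (all the same)")
    return problems


if __name__ == "__main__":
    samples = ["P@$w0rd", "Tr0ub4dor&3", "correct horse battery staple", "00000000", "abc123"]
    for pw in samples:
        print(f"{pw!r:34} legacy={legacy_policy(pw) or 'accepted'}")
        print(f"{'':34} nist  ={nist_policy(pw) or 'accepted'}")
```

Running the two policies over the same inputs makes the article's point concrete: the legacy rules reject a long passphrase with spaces and a strong password containing an ampersand, while accepting "abc123"; the NIST-style rules accept the passphrase and refuse the short and breached ones instead.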

Parameter 7: Paste Enabled

Last but not least.
 
The ability of an exchange to accept passwords pasted from the clipboard or filled in by a password manager was our last criterion.
 
Most of the exchanges allowed copy/paste into the password field, making it easy to use password managers. The use of a password manager enhances the security posture of account safety.
 
Only one exchange did not allow paste operations on the password field.
 
I am happy to conclude that this criterion was the most complied-with from the angle of password security.

[Figure: Current status 2020, top 100 cryptocurrency exchanges]

Top 10 Cryptocurrency Exchanges

Shown below are the top 10 exchanges based on their scorecard.

Coinbase Pro, Bittrex, FTX and Bitpanda Pro scored 100% in implementing and complying with the password security parameters used in this study. Cheers to them!


I have to admit that, as much as the top 10 high-scoring exchanges deserve appreciation, the bottom 10 should look into their exchanges' password security.

Password Security Of Top 100 Cryptocurrency Exchanges

Now that we know the parameters used in this analysis, the data arrived at by looking at the exchanges are given below. The calculation used to arrive at the final percentage of compliance is as follows:
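The scoring described in the methodology section and referred to again here (1 point per parameter met, 7 points maximum, expressed as a percentage) is implemented below as an added example; it is not the article's own spreadsheet or code, and the exchange names and results in SAMPLE_RESULTS are constructed, not the survey's data. One assumption is made explicit: a parameter that could not be checked (None) earns no point and is reported separately, which is the conservative reading of the article's "not able to check" column. The helpers also compute the per-parameter compliance shares and the two scorecard counters (above 80%, below 50%) the page presents.

```python
from typing import Dict, List, Optional, Tuple

# The seven parameters in the article's order. True means the requirement was met;
# for parameter 6 that means special characters are NOT restricted. None = not checkable.
PARAMETERS = [
    "avoids_exposed_passwords",
    "password_complexity",
    "minimum_length_enforced",
    "no_maximum_length_enforced",
    "visual_strength_indicator",
    "special_characters_not_restricted",
    "paste_enabled",
]

Results = Dict[str, Optional[bool]]

# Constructed sample results for fictional exchanges (not the article's data).
SAMPLE_RESULTS: Dict[str, Results] = {
    "Exchange A": dict(zip(PARAMETERS, [True, True, True, True, True, True, True])),
    "Exchange B": dict(zip(PARAMETERS, [False, True, True, False, False, True, True])),
    "Exchange C": dict(zip(PARAMETERS, [False, True, False, False, None, True, True])),
    "Exchange D": dict(zip(PARAMETERS, [False, False, False, False, False, False, True])),
}


def score(results: Results) -> Tuple[int, float]:
    """Points out of 7 and the percentage the article reports: points / 7 * 100, one decimal.
    An unchecked parameter (None) is assumed to earn no point."""
    points = sum(1 for p in PARAMETERS if results.get(p) is True)
    return points, round(points / len(PARAMETERS) * 100, 1)


def scorecard(all_results: Dict[str, Results]) -> List[Tuple[str, int, float]]:
    """(exchange, points, percent) sorted best first; ties broken by name for a stable order."""
    rows = [(name, *score(r)) for name, r in all_results.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def parameter_compliance(all_results: Dict[str, Results]) -> Dict[str, float]:
    """Share of exchanges meeting each parameter, in percent (the article's 12%, 69%, ...)."""
    total = len(all_results)
    return {
        p: round(100 * sum(1 for r in all_results.values() if r.get(p) is True) / total, 1)
        for p in PARAMETERS
    }


def unverified(all_results: Dict[str, Results]) -> Dict[str, List[str]]:
    """Parameters that could not be checked, per exchange, for the report's highlighted column."""
    out = {name: [p for p in PARAMETERS if r.get(p) is None] for name, r in all_results.items()}
    return {name: missing for name, missing in out.items() if missing}


def count_above(all_results: Dict[str, Results], threshold: float) -> int:
    """Scorecard counter: exchanges scoring strictly above the threshold percentage."""
    return sum(1 for _, _, pct in scorecard(all_results) if pct > threshold)


def count_below(all_results: Dict[str, Results], threshold: float) -> int:
    """Scorecard counter: exchanges scoring strictly below the threshold percentage."""
    return sum(1 for _, _, pct in scorecard(all_results) if pct < threshold)


if __name__ == "__main__":
    for name, points, pct in scorecard(SAMPLE_RESULTS):
        print(f"{name:12} {points}/7  {pct:5.1f}%")
    print("per-parameter compliance:", parameter_compliance(SAMPLE_RESULTS))
    print("not checkable:", unverified(SAMPLE_RESULTS))
    print("above 80%:", count_above(SAMPLE_RESULTS, 80), " below 50%:", count_below(SAMPLE_RESULTS, 50))
```

With the raw table of the survey loaded into the same structure (one mapping of parameter to True/False/None per exchange), these functions reproduce the percentages, the top and bottom 10 and the counters without any manual arithmetic.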

Interesting observations :

  • Password length should be 8-32 bits. I wonder what the maximum password possible in that range would be. Any guesses?!?
  • Lowest minimum password length: 1. Really? 😂
  • Bad password: 00000000; good password: 123456
  • Is a space in a password that bad? One exchange had a rule that a password cannot contain spaces at the beginning or at the end.
  • 20, 30 and 32 were the maximum password lengths at 37% of the exchanges. [Not sure what is so significant about these 3 numbers.]
  • Passwords containing just numbers were a strict no-no at many exchanges, irrespective of length.

Password Security Best Practices:

Going by the analysis criteria, it would be good to see the cryptocurrency exchanges further strengthen their password security by complying with published guidelines.

To start with, password strength indicator and avoiding breached passwords are areas that have very low compliance.

Removing password length restrictions would be another area to focus on. If best practices on password security are enforced as part of the development guidelines at these exchanges, I am positive we can avoid many issues related to password security.

Conclusion

As highlighted in the introduction of this report, the password security of the top 100 cryptocurrency exchanges is going to be an ever-evolving and improving playground for sure.
 
More and more exchanges will strengthen their infrastructure, processes and applications. This will help all of us as end users to have a safe and secure environment to transact in cryptocurrencies.
 
As users, let us also strive to improve our individual accounts' password security by following the best practices highlighted.
 
Let us understand that password security is the key to our account’s safety and security. Let us make sure we inform and educate all our near and dear ones on the importance of good password hygiene.
 
Feel free to share your observations on the password security practices of individual cryptocurrency exchanges.
 
